
Components of identity management

Jul 06, 2004

* The individual pieces that make up identity management

A critical finding in our recently released benchmark, “Extending the Enterprise,” is that securing a data center effectively requires that every element within the data center – from switches and routers to servers and storage – be integrated into an overarching security plan.

Identity management represents a key component of that plan. But what is it exactly? The term identity management can broadly describe everything involved in managing user accounts across multiple systems.

Identity management typically includes the following:

* User account repository – a central repository of user account information that a number of different systems can access, enabling centralized control of user accounts.

* User role definitions – the grouping of users by function, or role, enabling role-based permissions and access authorization.

* Single-sign-on – technology that enables users to sign on and authenticate themselves once, then access multiple resources without re-authenticating.

* Password synchronization – a system that synchronizes the passwords for a user on many different systems and keeps them synchronized through simultaneous password changes on all systems.

* Account provisioning and deactivation.

* Authorization management – a system for managing user access to resources by user, group or role.

* Delegation – the ability to delegate user management to a person or group with all the associated workflow and review/approval processes.

* Federation – the ability to delegate user management to an external user or group (for example, a health insurance company will federate user management to each client company’s benefits administrator).

* User management workflow – the ability to define a process for user management that includes multiple levels of delegation, review and approval.

* Authentication – a system for authenticating users against credentials, typically stored in a repository.

* Authorization – a system for evaluating whether a specific user may access a specific resource in a specific manner.

* Auditing – a system for recording user access to resources for security purposes.
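The repository, role definitions, authorization and auditing pieces listed above fit together as in this added Python sketch; it is not code from the article, and the users, roles and resources are constructed sample data:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data standing in for the user account repository and the
# role definitions. A permission is a (resource, action) pair, i.e. access to
# "a specific resource in a specific manner".
ROLE_PERMISSIONS = {
    "dba": {("db/payroll", "read"), ("db/payroll", "write")},
    "analyst": {("db/payroll", "read")},
    "benefits-admin": {("hr/benefits", "read"), ("hr/benefits", "write")},
}
USER_REPOSITORY = {
    "alice": {"roles": {"dba"}, "active": True},
    "bob": {"roles": {"analyst"}, "active": True},
    "carol": {"roles": {"dba"}, "active": False},  # deactivated, role not yet stripped
}

@dataclass
class AuditEvent:
    when: datetime
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str

AUDIT_LOG = []  # the auditing component: one record per access decision

def authorize(user, resource, action):
    """Decide whether `user` may perform `action` on `resource`, and audit the decision."""
    account = USER_REPOSITORY.get(user)
    if account is None:
        allowed, reason = False, "unknown account"
    elif not account["active"]:
        # Deactivation wins over any role the account still carries.
        allowed, reason = False, "account deactivated"
    else:
        granting = sorted(r for r in account["roles"]
                          if (resource, action) in ROLE_PERMISSIONS.get(r, set()))
        allowed = bool(granting)
        reason = f"granted by role {granting[0]}" if allowed else "no role grants this action"
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc), user, resource, action, allowed, reason))
    return allowed

def denied_attempts(user):
    """Audit query: every denied decision recorded for `user`."""
    return [e for e in AUDIT_LOG if e.user == user and not e.allowed]
```

The deactivated account shows why provisioning and authorization must be checked together: carol's old role still grants payroll access, but the account state denies it first.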

Data center managers obtain identity management products from a variety of players. A third of the participants in our benchmark use RSA’s SecurID platform, which provides two-factor authentication, indicating the importance of strong authentication and robust security in extranet deployments.

Microsoft’s Active Directory was deployed by another 25% of participants. While Microsoft provides the Identity Integration Server, which offers additional features, we did not find any IT executives who had deployed it. Instead, participants built upon AD, which they used internally for Windows authentication and user management, to provide a unified internal/external identity management system. Novell is used by another 17% of participants, either as a directory service or combined with iChain for external user authentication. Finally, Sun is also used by 17% of participants, with Entrust following with 8%.

Satisfaction with these products varies by vendor; generally, they’re rated highest in terms of reliability, which is a key consideration for IT executives: “Reliability is paramount,” says the CTO of a large financial services firm. Benchmark participants were overall least happy with management capabilities and price. Also, note that many of these products provide highly flexible platforms that can be customized to a particular data center’s needs; many of the IT executives we spoke with reported having done considerable customization.